CVE-2026-3954
Description
A weakness has been identified in OpenBMB XAgent 1.0.0. The affected code is the function workspace in the file XAgentServer/application/routers/workspace.py. Manipulation of the argument file_name causes path traversal. The attack may be initiated remotely. An exploit has been made public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenBMB XAgent 1.0.0 contains a path traversal vulnerability in the `/upload_file` endpoint, allowing remote attackers to write arbitrary files to the filesystem.
Vulnerability Analysis
A path traversal vulnerability exists in OpenBMB XAgent 1.0.0, specifically in the workspace function of the file XAgentServer/application/routers/workspace.py. The vulnerability also manifests in the ToolServerNode's /upload_file endpoint, where the file_name argument is taken directly from user-supplied multipart upload data without sanitization [1][2]. The filename is passed to os.path.join() with the intended work directory (/app/workspace/), but because no validation is performed, an attacker can include ../ sequences to escape the intended directory [1][2].
Exploitation
The attack can be initiated remotely without authentication. The ToolServerManager, which acts as an external-facing proxy on port 8080, forwards the raw HTTP body to the ToolServerNode, which processes the upload [1][2]. An attacker simply sends a multipart POST request to /upload_file with a filename such as ../../tmp/pwned. The os.path.join() call resolves the path to /tmp/pwned, bypassing the intended workspace restriction [1][2]. No calls to os.path.basename(), no ../ stripping, and no allowlist validation are performed [1][2].
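The unsanitized join described above, placed beside a hardened replacement that rejects any name resolving outside the work directory (including absolute names, which make os.path.join() discard the base, and symlinks that point out of it). This is an added illustration, not XAgent's code; the function names and the /app/workspace constant are assumed from the advisory's wording.

```python
import os

# Work directory named in the advisory; assumed here, not taken from XAgent's code.
WORKSPACE = "/app/workspace"


def unsafe_target(work_dir: str, file_name: str) -> str:
    """The pattern the advisory describes: the multipart filename is joined
    onto the work directory with no validation, so '../' segments walk out
    of it (and an absolute name makes os.path.join() discard work_dir)."""
    return os.path.normpath(os.path.join(work_dir, file_name))


def safe_target(work_dir: str, file_name: str) -> str:
    """Hardened form: resolve the candidate and require it to stay strictly
    inside work_dir. Raises ValueError for anything that escapes."""
    if not file_name or "\x00" in file_name:
        raise ValueError("empty or NUL-containing file name")
    if os.path.isabs(file_name):
        raise ValueError("absolute file names are not allowed")
    base = os.path.realpath(work_dir)
    # realpath() collapses '..' and follows symlinks, so a link inside the
    # workspace that points outside it is caught by the prefix check below.
    candidate = os.path.realpath(os.path.join(base, file_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"file name escapes the workspace: {file_name!r}")
    return candidate


def is_within_workspace(work_dir: str, file_name: str) -> bool:
    """True if safe_target() would accept file_name, False if it rejects it."""
    try:
        safe_target(work_dir, file_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: benign uploads and traversal attempts.
    for name in ["notes.txt", "sub/../report.md", "../../tmp/pwned", "/etc/passwd", ".."]:
        print(f"{name!r:20} unsafe -> {unsafe_target(WORKSPACE, name):22} "
              f"accepted={is_within_workspace(WORKSPACE, name)}")
```

Note that a prefix check on the resolved path is what matters; stripping "../" substrings or calling os.path.basename() alone is easy to get wrong and does not handle symlinks.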
Impact
Since the ToolServerNode container runs as root, an attacker can write arbitrary files to any location on the container's filesystem [1][2]. This could allow overwriting application code, planting cron jobs, or dropping SSH keys, leading to full control over the container [1][2].
Mitigation
The project has been informed of the problem through an issue report but has not yet responded [1][2]. No patch or workaround has been released as of the publication date [1][2]. Users should consider restricting network access to the ToolServerManager and ToolServerNode endpoints until a fix is available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.